PUA - AdFind.EXE Execution
Detects execution of Adfind.exe utility, which can be used for reconnaissance in an Active Directory environment
Sigma rule (View on GitHub)
1title: PUA - AdFind.EXE Execution
2id: 514e7e3e-b3b4-4a67-af60-be20f139198b
3related:
4 - id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
5 type: similar
6status: experimental
7description: Detects execution of Adfind.exe utility, which can be used for reconnaissance in an Active Directory environment
8references:
9 - https://www.joeware.net/freetools/tools/adfind/
10 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md
11author: Swachchhanda Shrawan Poudel (Nextron Systems)
12date: 2025-02-26
13tags:
14 - attack.discovery
15 - attack.t1087.002
16logsource:
17 product: windows
18 category: process_creation
19detection:
20 selection:
21 - Image|endswith: '\AdFind.exe'
22 - OriginalFileName: 'AdFind.exe'
23 - Hashes|contains:
24 - 'IMPHASH=d144de8117df2beceaba2201ad304764'
25 - 'IMPHASH=12ce1c0f3f5837ecc18a3782408fa975'
26 - 'IMPHASH=bca5675746d13a1f246e2da3c2217492'
27 - 'IMPHASH=4fbf3f084fbbb2470b80b2013134df35'
28 - 'IMPHASH=49b639b4acbecc49d72a01f357aa4930'
29 - 'IMPHASH=53e117a96057eaf19c41380d0e87f1c2'
30 - 'IMPHASH=680dad9e300346e05a85023965867201'
31 - 'IMPHASH=21aa085d54992511b9f115355e468782'
32 condition: selection
33falsepositives:
34 - Unknown
35level: medium
References
-
AdFind AdFind Summary Command line Active Directory query tool. Mixture of ldapsearch, search.vbs, ldp, dsquery, and dsget tools with a ton of other cool features thrown in for good measure. This...
Read More -
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
- Renamed AdFind Execution
- Malicious PowerShell Commandlets - ProcessCreation
- Potential Active Directory Reconnaissance/Enumeration Via LDAP
- AD Privileged Users or Groups Reconnaissance